Query Details

Connections to commonly abused top level domains

TH Top Level Domains

Query

let abusedTLD = dynamic(["rest", "okinawa", "live", "beauty", "bar", "fit", "gq", "cfd", "zone", "top"]);
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| extend hasIPinRemoteUrl = iif(indexof_regex(RemoteUrl,@"\b(?:\d{1,3}\.){3}\d{1,3}\b") == -1,false, true)
| where hasIPinRemoteUrl==false
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$",0,RemoteUrl,typeof(string)),".")[1])
| where TLD in~ (abusedTLD)
| extend Domain = replace_regex(tostring(extract(@"[^.]+\.[^.]+$",0,RemoteUrl)),"https://","")
| project TimeGenerated, DeviceName,ActionType,RemoteUrl, TLD,Domain, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName

About this query

Explanation

This KQL query is designed to identify connections to commonly abused top-level domains (TLDs) using Microsoft Defender for Endpoint or Microsoft Sentinel. The query focuses on detecting potentially malicious activity by examining network events, email URLs, and URL click events. Here's a simplified breakdown of the query:

  1. Purpose: The query aims to find connections to domains that are frequently abused for malicious purposes, such as phishing or malware distribution. It uses lists of known abused TLDs to filter out suspicious activities.

  2. Abused TLDs: The query uses a predefined list of TLDs that are known to be commonly abused. This list includes domains like .rest, .okinawa, .live, .beauty, .bar, .fit, .gq, .cfd, .zone, .top, and newer Google domains like .zip and .mov.

  3. Network Events:

    • The query examines network events to find URLs that do not contain an IP address.
    • It extracts the TLD from each URL and checks if it matches any of the known abused TLDs.
    • If a match is found, it projects relevant information such as the time of the event, device name, action type, and other details.
  4. Email URLs:

    • The query looks at URLs found in emails and extracts the domain and TLD.
    • It checks if the TLD is in the list of abused TLDs.
    • It joins this information with email events to provide context, such as the sender's domain and detection methods.
  5. URL Click Events:

    • The query analyzes URL click events to identify clicks on URLs with abused TLDs.
    • It extracts and checks the TLD against the list of known abused TLDs.
    • It projects details like the time of the event, action type, and workload.

Overall, this query helps security analysts identify potentially malicious activities by focusing on connections to domains with a history of abuse, allowing for further investigation and response.

Details

Alex Verboon profile picture

Alex Verboon

Released: August 29, 2025

Tables

DeviceNetworkEventsEmailUrlInfoEmailEventsUrlClickEvents

Keywords

DeviceNetworkEventsEmailUrlInfoClick

Operators

letdynamicDeviceNetworkEventswhereisnotemptyextendiifindexof_regexextracttostringsplitin~replace_regexprojectEmailUrlInfojoinEmailEventsUrlClickEvents

MITRE Techniques

Actions

GitHub